Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit
There are many ways to spread it besides a virus. Zillions of 'em. And
There are zillions (what, more than one thousand?) ways to get someone to run a random piece of software that will capture their keystrokes? I don't believe you. Name six. /r$
Rich Salz <rsalz@osf.org> writes:
There are many ways to spread it besides a virus. Zillions of 'em. And
There are zillions (what, more than one thousand?) ways to get someone to run a random piece of software that will capture their keystrokes?
I don't believe you. Name six.
I think I'll go on a tangent: Many, many, many years ago, when I was a little kid, I wrote several "cool" games that I uploaded to various BBS's. The games kept track of high scores and saved them in a file. At that time there were a few popular BBS programs for PC DOS (Fido, PC Board, RBBS, et al) which stored their passwords in fairly standard locations. When the games saved the high scores, they also looked in these standard locations. Invariably, when I downloaded the same games a few days later, I would discover that the BBS's sysops played the game, and made the archive with their high scores available for downloading.
ObCrypto: the high scores were encrypted together with the shell passwords.
---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
On Mon, 29 Jan 1996, Rich Salz wrote:
There are many ways to spread it besides a virus. Zillions of 'em. And
There are zillions (what, more than one thousand?) ways to get someone to run a random piece of software that will capture their keystrokes?
Not wishing to get in the middle of this controversy, I have been wondering about the possibility of using a JAVA applet to do keyboard sniffing. As I am not familiar with this language, does anyone know if this would be possible? Regards, Tim Philp
There are many ways to spread it besides a virus. Zillions of 'em. And
There are zillions (what, more than one thousand?) ways to get someone to run a random piece of software that will capture their keystrokes?
Not wishing to get in the middle of this controversy, I have been wondering about the possibility of using a JAVA applet to do keyboard sniffing. As I am not familiar with this language, does anyone know if this would be possible?
From what I've read about Java, it is not possible to use Java in this way. But keep in mind that while I've got this neat-o book on Java at my elbow, I'm not independently wealthy nor am I a college student with lots of time on his hands, so I haven't gotten very far into the book. But from what I've read and heard, it's not possible to compromise the integrity of the interpreter - unless, of course, you buy into the conspiracy crap that FV is trying to sell, and an Evil Computer Genius has managed to replace your Java interpreter with one of his own design, which he then uses to subvert your entire operating system and machine, etc. <insert sound of maniacal laughter here> ;)
--
Ed Carp, N7EKG Ed.Carp@linux.org, ecarp@netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp@netcom.com for PGP 2.5 public key an88744@anon.penet.fi
"Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes
(sorry, no discussion of FV or pleasant coffee aromas in this message)
Tim Philp writes:
I have been wondering about the possibility of using a JAVA applet to do keyboard sniffing. As I am not familiar with this language, does anyone know if this would be possible?
If you are running a broken or Trojan interpreter or class loader, then you're probably sunk regardless, because it can execute whatever deleterious code it wishes. (I say "probably" because I suppose you might have some separate watchdog program monitoring the actions of the interpreter. But ultimately that's just part of an infinite regress: the watchdog could also be compromised, etc. ad infinitum.)
The I/O class libraries don't offer calls anywhere near as deep as the hardware keyboard interrupts. About all you can do is read a byte or a line of input, as in any common programming language, but that's different than surreptitiously reading bits when they are read as input by some other program. I don't see how you could build a keyboard sniffer in Java unless you could somehow trick the interpreter into feeding an input stream to an additional process.
Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops up an innocuous dialog box and asks you to enter some sensitive piece of information, then sends it off somewhere. About all it takes to write that is a modicum of skill in user interface design. You could write it in any programming language, but in Java it may be particularly effective, since people may come to expect to be prompted for sensitive info over the net by Java apps.
Maybe the Java folks who just left Sun decided to seize the opportunity ;>
Futplex <futplex@pseudonym.com>
On Mon, 29 Jan 1996, Futplex wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Tim Philp writes:
I have been wondering about the possibility of using a JAVA applet to do keyboard sniffing. As I am not familiar with this language, does anyone know if this would be possible?
program. I don't see how you could build a keyboard sniffer in Java unless you could somehow trick the interpreter into feeding an input stream to an additional process.
Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops up an innocuous dialog box and asks you to enter some sensitive piece of information, then sends it off somewhere. About all it takes to write that is a modicum of skill in user interface design. You could write it in any programming language, but in Java it may be particularly effective, since people may come to expect to be prompted for sensitive info over the net by Java apps.
Hmm. Actually, what do Java dialog prompts look like? Is there any indication that they come from Java, or can they be made to look like any dialog from any program, or the OS itself? I suppose this is implementation-dependent. One "neat" trick would be an applet that sleeps for several minutes and then suddenly pops up asking for your system password, or something. A heck of a lot of people fell for something much more primitive at AOL. -rich
Rich Graves writes:
Hmm. Actually, what do Java dialog prompts look like? Is there any indication that they come from Java, or can they be made to look like any dialog from any program, or the OS itself? I suppose this is implementation-dependent.
Yes, it's completely dependent on the AWT implementation. (Or, of course, on the implementation of whatever graphical library provided by the particular Java runtime environment in question.) The "standard" AWT that's used in the Netscape (and maybe HotJava) web browsers decorates all windows applets create such that it's obvious they're there. It is designed to be impossible for the applet itself to corrupt the AWT such that the windows don't bear that decoration. (Whether the design works as advertised is a question worth asking, of course.) ______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5@tivoli.com * m101@io.com * I want more, I want more ... <URL:http://www.io.com/~m101> *_______________________________
Jon Lasser writes:
But the fact that Java windows are obvious doesn't seem to really speak to the question of can they be faked from *outside* Java.
If you need to worry about something showing up on your machine that's capable of creating fake input dialogs on your screen, I claim you have some serious problems.
In fact, very distinctive windows for Java are likely to increase the success of an attack which duplicates the window decorations perfectly, because people will be used to it.
But if by being used to such windows people understand that they're not necessarily to be trusted, I don't see why that'd be an attractive way of slipping in a trojan horse. I mean, if you want to give somebody a trojan horse, you don't hang a sign around its neck reading "I am a trojan horse". ______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5@tivoli.com * m101@io.com * I want more, I want more ... <URL:http://www.io.com/~m101> *_______________________________
Mike M^cNally writes:
But if by being used to such windows people understand that they're not necessarily to be trusted, I don't see why that'd be an attractive way of slipping in a trojan horse.
Well, that "if" is a critical hypothetical. I'm assuming a model in which people perform most of their legitimate network transactions through Java windows. So I think they will be accustomed to typing financial identifiers or whatnot into windows labelled "Untrusted Applet Window". Many will become desensitized to the UAW warning label.
I believe the work on authenticating applet servers to client in terms of signed Java classes, etc. is the most promising long-term approach.
ObNSB: Although I seem to be cast as an opponent of Java adoption in this thread, I'm actually a fan of Java and expect to write some Java code RSN.
Futplex <futplex@pseudonym.com>
futplex@pseudonym.com writes:
I believe the work on authenticating applet servers to client in terms of signed Java classes, etc. is the most promising long-term approach.
Sure. And it's also important to keep in mind that every day some dimwit falls prey to the pigeon drop or some other "meat-to-meat" scam. It'll take a few years for people to get used to security concerns on the net, just like it took a few years for people to figure out that you really would die if you drove your new Model T like a maniac.
ObNSB: Although I seem to be cast as an opponent of Java adoption in this thread, I'm actually a fan of Java and expect to write some Java code RSN.
Me too. There are so many "but can Java do that?" questions floating around in all sorts of bizarre contexts that it's easy to lose sight of all the nice things about a nifty interpreted language. ______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5@tivoli.com * m101@io.com * I want more, I want more ... <URL:http://www.io.com/~m101> *_______________________________
On Tue, 30 Jan 1996, Mike McNally wrote:
Rich Graves writes:
Hmm. Actually, what do Java dialog prompts look like? Is there any indication that they come from Java, or can they be made to look like any dialog from any program, or the OS itself? I suppose this is implementation-dependent.
Yes, it's completely dependent on the AWT implementation. (Or, of course, on the implementation of whatever graphical library provided by the particular Java runtime environment in question.)
The "standard" AWT that's used in the Netscape (and maybe HotJava) web browsers decorates all windows applets create such that it's obvious they're there. It is designed to be impossible for the applet itself to corrupt the AWT such that the windows don't bear that decoration. (Whether the design works as advertised is a question worth asking, of course.)
But the fact that Java windows are obvious doesn't seem to really speak to the question of can they be faked from *outside* Java. In fact, very distinctive windows for Java are likely to increase the success of an attack which duplicates the window decorations perfectly, because people will be used to it.
Eternal vigilance, etc.
J.L.
------------------------------------------------------------------------------
Jon Lasser <jlasser@rwd.goucher.edu> (410)494-3072 Visit my home page at http://www.goucher.edu/~jlasser/ You have a friend at the NSA: Big Brother is watching. Finger for PGP key.
On Jan 29, 11:12pm, Futplex wrote:
Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops up an innocuous dialog box and asks you to enter some sensitive piece of information, then sends it off somewhere. About all it takes to write that is a modicum of skill in user interface design. You could write it in any programming language, but in Java it may be particularly effective, since people may come to expect to be prompted for sensitive info over the net by Java apps. Maybe the Java folks who just left Sun decided to seize the opportunity ;>
Since the Java stuff that I'm running around here either (a) is from netscape, which jams a little line saying, "Untrusted Java Applet" at the bottom of each window a Java applet creates or (b) is run by me, by hand, from the command line, using either the interpreter or the appletviewer... I don't think this is much of a threat. I see much more difficulties with javascript.
richard
--
Richard Martin Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team] rmartin@aw.sgi.com/g4frodo@cdf.toronto.edu http://www.io.org/~samwise Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992
Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops up an innocuous dialog box and asks you to enter some sensitive piece of information, then sends it off somewhere. About all it takes to write that is a modicum of skill in user interface design. You could write it in any programming language, but in Java it may be particularly effective, since people may come to expect to be prompted for sensitive info over the net by Java apps. Maybe the Java folks who just left Sun decided to seize the opportunity ;>
But both Sun's and Netscape's implementations make Frame (new toplevel) windows have "Untrusted Applet Window" sprawled across the bottom of them. On a (kinda) related note someone from Sun posted to c.l.java that they're going to be releasing a signing mechanism for applets soon. You'll be able to verify that the code comes from where it says it does so at least when it steals your CC# you'll know whom to go hunt down. --- Fletch __`'/| fletch@ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------
Ed Carp writes:
Not wishing to get in the middle of this controversy, I have been wondering about the possibility of using a JAVA applet to do keyboard sniffing. As I am not familiar with this language, does anyone know if this would be possible?
From what I've read about Java, it is not possible to use Java in this way.
Because Java is a general-purpose programming language, it is indeed possible to use Java to do keyboard sniffing, just like it's possible to use it for an adventure game, or system management software, or anything else you can imagine a general-purpose programming language being used for. The real question is, "can I use a Java applet in the context of a particular Java virtual machine implementation (like, maybe, the Netscape Navigator web browser) to do keyboard sniffing?". The Java interpreter is only as secure as the wrapper implementation wants it to be. For lots of purposes, you don't need or want any more security for a Java program than you would for a C++ program. ______c_____________________________________________________________________ Mike M Nally * Tivoli Systems * Austin TX * I want more, I want more, m5@tivoli.com * m101@io.com * I want more, I want more ... <URL:http://www.io.com/~m101> *_______________________________
My mailer insists that Nathaniel Borenstein wrote:
Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich Salz@osf.org (255)
There are many ways to spread it besides a virus. Zillions of 'em. And
There are zillions (what, more than one thousand?) ways to get someone to run a random piece of software that will capture their keystrokes?
Yes, zillions, although I'm not using that as a technical term.
I don't believe you. Name six.
Sure thing, always glad to clarify my claims.
1. (my current favorite) post it to MSN. There, Microsoft has made getting infected with a Trojan Horse as easy as clicking on an icon embedded in a mail or news message. (You want to try convincing the average consumer that it isn't safe, if Microsoft makes it that easy?)
2. Get the sources to a public domain image viewer. Change them slightly. Claim that you've improved it by 13.7%. Post your improved (and infected) image viewer to the net.
3. Ditto for an audio viewer, a mail reader, a news reader,.... (zillions right there alone)
I count numbers 1, 2 and 3 as one way (Trojan Horse).
4. Imitate the IBM Christmas exec. Break into someone's site and steal their mail aliases file. Now send mail to everyone on their alias list, pretending to be them, offering them a cute animation program they can install. The animation will happen, but it will also send mail to all THEIR aliases (like the Christmas exec) and (unlike that) install our malicious snooping software.
If you can break in that far, I can think of much more imaginative things to do with the access.
5. Write a genuinely useful program (or a game) of your own, but embed your attack in it.
Again, 4 and 5 are the same as 1,2 and 3. (I thought I smelled horse biscuits.)
(Caution: Being the real author will increase your traceability.)
Insultingly obvious.
6. Write a pornographic screen saver. Not only will zillions of people download it, but they will EXPECT the code to watch keystrokes.
YATH (Yet Another Trojan Horse)
7. [*maybe*] Spread it by Java applet. This is a maybe because the level of Java security seems to be browser-discretionary. Even a relatively conservative let-the-user-choose approach like Netscape's, however, can be defeated with a little social engineering, as in "this is a really cool Java applet to do XYZ, but you'll have to set Netscape's Java security level to minimum to run it....."
Yes. Trojan Horse. Whinny. Neigh.
8. Internet-based breakin/installations, e.g. to NT or anything else that runs incoming services.
Ahh, finally something other than a Trojan Horse attack, but it only affects sites with poor security. In that case, this attack is the least of their problems.
9. Traditional virus techniques.
Oh, you only asked for 6, sorry..... Feel free to ignore a few.
Wow, a whole three different attacks and most of them much more useful for things other than gathering credit card numbers. It's sad to think that a lot of people may actually believe this crap. Let's just hope that enough technical users provide rebuttals in the other fora where this stuff appears.
---
Paul M. Cardon -- I speak for myself. 'nuff said.
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e
Excerpts from mail: 29-Jan-96 Re: FV Demonstrates Fatal F.. Rich Salz@osf.org (255)
There are many ways to spread it besides a virus. Zillions of 'em. And
There are zillions (what, more than one thousand?) ways to get someone to run a random piece of software that will capture their keystrokes?
Yes, zillions, although I'm not using that as a technical term.
I don't believe you. Name six.
Sure thing, always glad to clarify my claims.
1. (my current favorite) post it to MSN. There, Microsoft has made getting infected with a Trojan Horse as easy as clicking on an icon embedded in a mail or news message. (You want to try convincing the average consumer that it isn't safe, if Microsoft makes it that easy?)
2. Get the sources to a public domain image viewer. Change them slightly. Claim that you've improved it by 13.7%. Post your improved (and infected) image viewer to the net.
3. Ditto for an audio viewer, a mail reader, a news reader,.... (zillions right there alone)
4. Imitate the IBM Christmas exec. Break into someone's site and steal their mail aliases file. Now send mail to everyone on their alias list, pretending to be them, offering them a cute animation program they can install. The animation will happen, but it will also send mail to all THEIR aliases (like the Christmas exec) and (unlike that) install our malicious snooping software.
5. Write a genuinely useful program (or a game) of your own, but embed your attack in it. (Caution: Being the real author will increase your traceability.)
6. Write a pornographic screen saver. Not only will zillions of people download it, but they will EXPECT the code to watch keystrokes.
7. [*maybe*] Spread it by Java applet. This is a maybe because the level of Java security seems to be browser-discretionary. Even a relatively conservative let-the-user-choose approach like Netscape's, however, can be defeated with a little social engineering, as in "this is a really cool Java applet to do XYZ, but you'll have to set Netscape's Java security level to minimum to run it....."
8. Internet-based breakin/installations, e.g. to NT or anything else that runs incoming services.
9. Traditional virus techniques.
Oh, you only asked for 6, sorry..... Feel free to ignore a few.
--------
Nathaniel Borenstein <nsb@fv.com> Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq@nsb.fv.com
Nathaniel Borenstein said:
I don't believe you. Name six.
Sure thing, always glad to clarify my claims.
1. (my current favorite) post it to MSN. There, Microsoft has made getting infected with a Trojan Horse as easy as clicking on an icon embedded in a mail or news message. (You want to try convincing the average consumer that it isn't safe, if Microsoft makes it that easy?)
2. Get the sources to a public domain image viewer. Change them slightly. Claim that you've improved it by 13.7%. Post your improved (and infected) image viewer to the net.
Trojan horse. This is the same as #1.
3. Ditto for an audio viewer, a mail reader, a news reader,.... (zillions right there alone)
Zillions of trojan horses...all the same. I guess you can call the source credit.asm, sniffer.c, capture.bas or any number of other names, too...geez, there's another few zillion.
4. Imitate the IBM Christmas exec. Break into someone's site and steal their mail aliases file. Now send mail to everyone on their alias list, pretending to be them, offering them a cute animation program they can install. The animation will happen, but it will also send mail to all THEIR aliases (like the Christmas exec) and (unlike that) install our malicious snooping software.
Another trojan horse.
5. Write a genuinely useful program (or a game) of your own, but embed your attack in it. (Caution: Being the real author will increase your traceability.)
Another trojan horse.
6. Write a pornographic screen saver. Not only will zillions of people download it, but they will EXPECT the code to watch keystrokes.
Another trojan horse.
7. [*maybe*] Spread it by Java applet. This is a maybe because the level of Java security seems to be browser-discretionary. Even a relatively conservative let-the-user-choose approach like Netscape's, however, can be defeated with a little social engineering, as in "this is a really cool Java applet to do XYZ, but you'll have to set Netscape's Java security level to minimum to run it....."
"...and type your CC# into a box that advertises itself as an 'insecure foreign applet'" or some such thing. Far as I can tell you can't hook the keyboard this way, just ask people to give you the number. And then you can only send it back to wherever the applet came from.
8. Internet-based breakin/installations, e.g. to NT or anything else that runs incoming services.
9. Traditional virus techniques.
Oh, you only asked for 6, sorry..... Feel free to ignore a few.
I count 4. -- Paul Foley Email: <mycroft@actrix.gen.nz>
Paul Foley <paul@mycroft.actrix.gen.nz> writes:
4. Imitate the IBM Christmas exec. Break into someone's site and steal their mail aliases file. Now send mail to everyone on their alias list, pretending to be them, offering them a cute animation program they can install. The animation will happen, but it will also send mail to all THEIR aliases (like the Christmas exec) and (unlike that) install our malicious snooping software.
Another trojan horse.
I'd like to take an exception to this description of the XMAS EXEC, since I too received a copy of it in '87 (but had the smarts not to run it). It didn't break or steal anything. It did 2 things:
* Displayed an ASCII Xmas tree;
* E-mailed a copy of itself to every e-mail address listed in the database of e-mail aliases.
VM/CMS comes with a very convenient, standard, and user-friendly program for keeping track of nicknames, real names, and e-mail addresses, stored in a flat file with tags, which any REXX program can easily read. I had serious doubts that the person who wrote it was malicious.
---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
Excerpts from mail.cypherpunks: 31-Jan-96 Re: FV Demonstrates Fatal F.. Dr. Dimitri Vulis@bwalk. (1227)
I'd like to take an exception to this description of the XMAS EXEC, since ............. I had serious doubts that the person who wrote it was malicious.
Agreed completely. I didn't mean to imply that the author was malicious, merely that it well-illustrated the "social engineering" approach to getting users to run untrusted code. What I was saying is that someone who *was* malicious could have used the same approach as the attack vector for getting our credit card snooper (or other nasty code) onto lots of consumer machines. This came up, in the discussion, because most people on this list seem to believe (correctly, I think) that the hardest part of the attack we outlined is the initial infection vector. -- Nathanielx -------- Nathaniel Borenstein <nsb@fv.com> Chief Scientist, First Virtual Holdings FAQ & PGP key: nsb+faq@nsb.fv.com
Nathaniel Borenstein <nsb@nsb.fv.com> writes:
Dr. Dimitri Vulis@bwalk. (1227)
I'd like to take an exception to this description of the XMAS EXEC, since ............. I had serious doubts that the person who wrote it was malicious.
Agreed completely. I didn't mean to imply that the author was malicious, merely that it well-illustrated the "social engineering" approach to getting users to run untrusted code. What I was saying is that someone who *was* malicious could have used the same approach as the attack vector for getting our credit card snooper (or other nasty code) onto lots of consumer machines. This came up, in the discussion, because most people on this list seem to believe (correctly, I think) that the hardest part of the attack we outlined is the initial infection vector. -- Nathanielx
In '87, many people received an unsolicited executable from a known source, and ran it without thinking twice. (If A has B's address in his nickname file, then B probably knows and trusts A to some extent.) I hope users today know better. I don't see why stopping a keyboard sniffer is any harder than stopping any other virus/trojan - and most shops manage to keep them out.
---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
participants (13): dlv@bwalk.dm.com; Ed Carp, KHIJOL SysAdmin; futplex@pseudonym.com; Jon Lasser; m5@dev.tivoli.com; Mike Fletcher; Nathaniel Borenstein; Paul Foley; Paul M. Cardon; Rich Graves; Rich Salz; Richard Martin; Tim Philp